CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 29 of 286

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-11649 | | High | 0.57 | 8.8 | 0.01 | | Mar 7, 2018 | Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910C devices with firmware 1.2.0_RC3 build r6594 allows remote attackers to hijack the authentication of unspecified users for requests that enable SNMP on the remote device via vectors involving goform/setSnmp. |
| CVE-2018-7733 | | High | 0.57 | 8.8 | 0.00 | | Mar 6, 2018 | An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html. |
| CVE-2018-7307 | — | High | 0.57 | 8.8 | 0.01 | | Mar 6, 2018 | The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter. |
| CVE-2018-7634 | | High | 0.57 | 8.8 | 0.01 | | Mar 1, 2018 | An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the… |
| CVE-2018-7590 | | High | 0.57 | 8.8 | 0.01 | | Mar 1, 2018 | CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation. |
| CVE-2016-0295 | | High | 0.57 | 8.8 | 0.01 | | Feb 28, 2018 | Cross-site request forgery (CSRF) vulnerability in the IBM BigFix Platform 9.0, 9.1, 9.2, and 9.5 before 9.5.2 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111363. |
| CVE-2018-0520 | — | High | 0.57 | 8.8 | 0.01 | | Feb 23, 2018 | Cross-site request forgery (CSRF) vulnerability in FS010W firmware FS010W_00_V1.3.0 and earlier allows an attacker to hijack the authentication of administrators via unspecified vectors. |
| CVE-2018-0148 | | High | 0.57 | 8.8 | 0.01 | | Feb 22, 2018 | A vulnerability in the web-based management interface of Cisco UCS Director Software and Cisco Integrated Management Controller (IMC) Supervisor Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary… |
| CVE-2018-7308 | | High | 0.57 | 8.8 | 0.01 | | Feb 21, 2018 | A CSRF issue was found in var/www/html/files.php in DanWin hosting through 2018-02-11 that allows arbitrary remote users to add/delete/modify any files in any hosting account. |
| CVE-2018-7219 | | High | 0.57 | 8.8 | 0.01 | | Feb 19, 2018 | application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request. |
| CVE-2017-16756 | | High | 0.57 | 8.8 | 0.01 | | Feb 19, 2018 | An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint. This allows an attacker to change the password of another user's HelpSpot account. |
| CVE-2017-5796 | | High | 0.57 | 8.8 | 0.02 | | Feb 15, 2018 | A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 Series Network Switches version RA.15.05.0006 was found. |
| CVE-2017-5781 | | High | 0.57 | 8.8 | 0.01 | | Feb 15, 2018 | A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 was found. |
| CVE-2017-17552 | | High | 0.57 | 8.8 | 0.02 | | Feb 7, 2018 | /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. |
| CVE-2014-5280 | | High | 0.57 | 8.8 | 0.01 | | Feb 6, 2018 | boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication. |
| CVE-2018-6288 | | High | 0.57 | 8.8 | 0.01 | | Feb 6, 2018 | Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1. |
| CVE-2018-6467 | | High | 0.57 | 8.8 | 0.01 | | Feb 6, 2018 | The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php. |
| CVE-2018-6651 | | High | 0.57 | 8.8 | 0.02 | | Feb 5, 2018 | In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In… |
| CVE-2015-4179 | | High | 0.57 | 8.8 | 0.01 | | Feb 5, 2018 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Codestyling Localization plugin 1.99.30 and earlier for Wordpress. |
| CVE-2017-18080 | | High | 0.57 | 8.8 | 0.01 | | Feb 2, 2018 | The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. |